This chapter presents procedures to help you set up and manage a Solaris system that is audited. This chapter also includes instructions for administering the audit trail. The following is a list of the information in this chapter.Solaris Auditing (Task Map) Configuring Audit Files (Task Map) Configuring and Enabling the Auditing Service (Task Map) Managing Audit Records (Task Map) For an overview of the auditing service, see Chapter 28, Solaris Auditing (Overview). For planning suggestions, see Chapter 29, Planning for Solaris Auditing. For reference information, see Chapter 31, Solaris Auditing (Reference). audit daemonauditd daemontask mapsauditingmanagingauditingadministeringauditingtask mapSolaris auditing task mapThe following task map points to the major tasks that are required to manage auditing. The tasks are ordered.Task Description For Instructions 1. Plan for auditing Contains configuration issues to decide before you configure the auditing service. Planning Solaris Auditing (Task Map) 2. Configure audit files Defines which events, classes, and users require auditing. Configuring Audit Files (Task Map) 3. Configure and enable auditing Configures each host for disk space and other auditing service requirements. Then, starts the auditing service. Configuring and Enabling the Auditing Service (Task Map) On a host that has installed non-global zones, configure one auditing service for the system, or one auditing service per zone. Configuring the Auditing Service in Zones (Tasks) 4. Manage audit records Collects and analyzes the audit data. Managing Audit Records (Task Map) task mapsconfiguring audit files configuringaudit files task map The following task map points to the procedures for configuring files to customize auditing at your site. Most of the tasks are optional.Task Description For Instructions Select audit classes, and customize audit_control settings Involves:Preselecting system-wide audit classes Specifying the audit directories for each system Setting disk space limits on audit file systems How to Modify the audit_control File (Optional) Log audit events in two modes Enables you to monitor audit events in real time, in addition to storing audit records in binary format. How to Configure syslog Audit Logs (Optional) Change audit characteristics for users Sets user-specific exceptions to the system-wide preselected audit classes. How to Change a User's Audit Characteristics (Optional) Add audit classes Reduces the number of audit records by creating a new audit class to hold events. How to Add an Audit Class (Optional) Change event-to-class mappings Reduces the number of audit records by changing the event-class mapping. How to Change an Audit Event's Class Membership configuringaudit files audit filesconfiguring Before you enable auditing on your network, you can customize the audit configuration files for your site auditing requirements. You can also restart the auditing service or reboot the local system to read changed configuration files after the auditing service has been enabled. However, the recommended practice is to customize your audit configuration as much as possible before you start the auditing service.If you have implemented zones, you can choose to audit all zones from the global zone. To differentiate between zones in the audit output, you can set the zonename policy option. Alternatively, to audit non-global zones individually, you can set the perzone policy in the global zone and customize the audit configuration files in the non-global zones. For an overview, see Auditing and Solaris Zones. For planning, see How to Plan Auditing in Zones.changingaudit_control file configuringaudit_control file audit_control fileconfiguring configuration filesaudit_control file selectingaudit classes preselectingaudit classes audit classespreselecting The /etc/security/audit_control file configures system-wide auditing. The file determines which events are audited, when audit warnings are issued, and the location of the audit files. &rolePAstep;Save a backup copy of the audit_control file.# cp /etc/security/audit_control /etc/security/audit_control.orig Modify the audit_control file for your site.Each entry has the following format:keyword:valuekeywordDefines the type of line. The types are dir, flags, minfree, naflags, and plugin. The dir line can be repeated.For explanations of the keywords, see the following examples. For an example of a plugin entry, see How to Configure syslog Audit Logs valueSpecifies data that is associated with the line type. The flags line in the audit_control file defines which classes of attributable events are audited for all users on the system. The classes are separated by commas. White space is allowed. In this example, the events in the lo class are audited for all users.# audit_control file dir:/var/audit flags:lo minfree:20 naflags:loTo see which events are in the lo class, read the audit_event file. You can also use the bsmrecord command, as shown in Example 30–25. In this example, all events in the na class, and all login events that are not attributable, are audited.# audit_control file dir:/var/audit flags:lo minfree:20 naflags:lo,na naming conventionsaudit directoriesThe dir lines in the audit_control file list which audit file systems to use for binary audit data. In this example, three locations for binary audit data are defined.# audit_control file # # Primary audit directory - NFS-mounted from audit server dir:/var/audit/egret.1/files # # Secondary audit directory - NFS-mounted from audit server dir:/var/audit/egret.2/files # # Directory of last resort local directory dir:/var/audit flags:lo minfree:20 naflags:lo,na plugin:To set up file systems to hold audit binary audit data, see How to Create Partitions for Audit Files. In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when only 10 percent of the file system is available.# audit_control file # dir:/var/audit/examplehost.1/files dir:/var/audit/examplehost.2/files dir:/var/audit/localhost/files flags:lo minfree:10 naflags:lo,naThe audit_warn alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias. configuringtextual audit logs log filesconfiguring for auditing service audit logsconfiguring textual audit logs You can instruct the auditing service to collect only binary audit data, or you can instruct the auditing service to collect binary data and text data. In the following procedure, you collect binary audit data and text audit data. The collected text audit data is a subset of the binary data. Preselected audit classes must be specified on the flags line or the naflags line of the audit_control file. The text data is a subset of the preselected binary data. &rolePAstep;Save a backup copy of the audit_control file.# cp /etc/security/audit_control /etc/security/audit_control.save Add a plugin entry.pluginsin auditing servicePlugins in the auditing service implement binary output and syslog output of audit data. The binary plugin is not specified. The syslog plugin must be specified. For more information, see auditd Daemon.A plugin entry has the following format:plugin:name=value; p_flags=classesvalueLists the name of the plugin to use. Currently, the only valid value is the audit_syslog.so.1 plugin. classesflags lineplugin line andnaflags lineplugin line andplugin lineflags line andLists a subset of the audit classes that are specified in the flags line and the naflags line. For more information about the plugin value, see the audit_syslog5 man page. /etc/syslog.conf fileauditing andsyslog.conf fileaudit.notice levelaudit.notice entrysyslog.conf file/var/adm/auditlog filetext audit recordsauditlog filetext audit recordsaudit records/var/adm/auditlog fileAdd an audit.notice entry to the syslog.conf file.The entry includes the location of the log file.# cat /etc/syslog.conf … audit.notice /var/adm/auditlogText logs should not be stored where the binary audit files are stored. The auditreduce command assumes that all files in an audit partition are binary audit files. Create the log file.# touch /var/adm/auditlog svcadm commandrestarting syslog daemonRefresh the configuration information for the syslog service.# svcadm refresh system/system-log Regularly archive the syslog log files.The auditing service can generate extensive output. To manage the logs, see the logadm1M man page. In the following example, the syslog utility collects a subset of the preselected audit classes.# audit_control file dir:/var/audit/host.1/files dir:/var/audit/host.2/files dir:/var/audit/localhost/files flags:lo,ss minfree:10 naflags:lo,na plugin:name=audit_syslog.so.1; p_flags=-lo,-na,-ssThe flags and naflags entries instruct the system to collect all login/logout, nonattributable, and change of system state audit records in binary format. The plugin entry instructs the syslog utility to collect only failed logins, failed nonattributable events, and failed changes of system state. You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is example1. The remote system is remote1.example1 # cat /etc/syslog.conf … audit.notice @remote1The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.remote1 # cat /etc/syslog.conf … audit.notice /var/adm/auditlog configuringaudit_user database audit_user databasespecifying user exceptions usersmodifying audit preselection mask of audit preselection maskmodifying for individual users Definitions for each user are stored in the audit_user database. These definitions modify, for the specified user, the preselected classes in the audit_control file. The nsswitch.conf file determines if a local file or if a name service database is used. To calculate the user's final audit preselection mask, see Process Audit Characteristics. &rolePAstep;Save a backup copy of the audit_user database.# cp /etc/security/audit_user /etc/security/audit_user.orig Add new entries to the audit_user database.In the local database, each entry has the following format:username:always-audit:never-auditusernameSelects the name of the user to be audited. always-auditSelects the list of audit classes that should always be audited for the specified user. never-auditSelects the list of audit classes that should never be audited for the specified user. You can specify multiple classes by separating the audit classes with commas.The audit_user entries are in effect at the user's next login. In this example, the audit_control file contains the preselected audit classes for the system:# audit_control file … flags:lo,ss minfree:10 naflags:lo,naThe audit_user file shows an exception. When the user jdoe uses a profile shell, that use is audited:# audit_user file jdoe:pfThe audit preselection mask for jdoe is a combination of the audit_user settings with the audit_control settings. The auditconfig -getaudit command shows the preselection mask for jdoe:# auditconfig -getaudit audit id = jdoe(1234567) process preselection mask = ss,pf,lo(0x13000,0x13000) terminal id (maj,min,host) = 242,511,example1(192.168.160.171) audit session id = 2138517656 In this example, the login and role activities of four users only are audited on this system. The audit_control file does not preselect audit classes for the system:# audit_control file … flags: minfree:10 naflags:The audit_user file preselects two audit classes for four users:# audit_user file jdoe:lo,pf kdoe:lo,pf pdoe:lo,pf sdoe:lo,pfThe following audit_control file protects the system from unwarranted intrusion. In combination with the audit_user file, this file protects the system more than the first audit_control file in this example.# audit_control file … flags: minfree:10 naflags:lo changingaudit_class file addingaudit classes configuringaudit_class file audit_class fileadding a class audit classesmodifying default addingaudit classes audit classesadding When you create your own audit class, you can place into it just those audit events that you want to audit for your site. When you add the class on one system, you should copy the change to all systems that are being audited. &rolePAstep;Save a backup copy of the audit_class file.# cp /etc/security/audit_class /etc/security/audit_class.orig Add new entries to the audit_class file.Each entry has the following format:0xnumber:name:description0xIdentifies number as hexadecimal. numberDefines the unique audit class mask. nameDefines the letter name of the audit class. descriptionDefines the descriptive name of the audit class. The entry must be unique in the file. Do not use existing audit class masks. This example creates a class to hold a small set of audit events. The added entry to the audit_class file is as follows:0x01000000:pf:profile commandThe entry creates a new audit class that is called pf. Example 30–10 populates the new audit class. If you have customized the audit_class database, make sure that any modifications to audit_user are consistent with the new audit classes. Errors occur when the audit classes in audit_user are not a subset of the audit_class database. configuringaudit_event file changingaudit_event file audit_event filechanging class membership audit eventschanging class membership You might want to change an audit event's class membership to reduce the size of an existing audit class, or to place the event in a class of its own. When you reconfigure audit event-class mappings on one system, you should copy the change to all systems that are being audited. &rolePAstep;Save a backup copy of the audit_event file.# cp /etc/security/audit_event /etc/security/audit_event.orig Change the class to which particular events belong by changing the class-list of the events.Each entry has the following format:number:name:description:class-listnumberIs the audit event ID. nameIs the name of the audit event. descriptionTypically, the system call or executable that triggers the creation of an audit record. class-listIs a comma-separated list of audit classes. This example maps an existing audit event to the new class that was created in Example 30–9. In the audit_control file, the binary audit record captures successes and failures of events in the pf class. The syslog audit log contains only failures of events in the pf class.# grep pf | /etc/security/audit_class 0x01000000:pf:profile command # vi /etc/security/audit_event 6180:AUE_prof_cmd:profile command:ua,as,pf # vi audit_control ... flags:lo,pf plugin:name=audit_syslog.so.1; p_flags=-lo,-pf This example creates a class to hold events that monitor calls to the setuid and setgid programs. The audit_control entries audit all successful invocations of the events in the st class.# vi /etc/security/audit_class 0x00000800:st:setuid class # vi /etc/security/audit_event 26:AUE_SETGROUPS:setgroups(2):st 27:AUE_SETPGRP:setpgrp(2):st 40:AUE_SETREUID:setreuid(2):st 41:AUE_SETREGID:setregid(2):st 214:AUE_SETEGID:setegid(2):st 215:AUE_SETEUID:seteuid(2):st # vi audit_control ... flags:lo,+st plugin:name=audit_syslog.so.1; p_flags=-lo,+st task mapsconfiguring auditing service task mapsenabling auditing service configuringauditing service task map enablingauditing service task map The following task map points to procedures for configuring and enabling the auditing service. The tasks are ordered.Task Description For Instructions 1. (Optional) Change the audit configuration files Selects which events, classes, and users require auditing. Configuring Audit Files (Task Map) 2. Create audit partitions Creates disk space for the audit files, and protects them with file permissions. How to Create Partitions for Audit Files 3. Create the audit_warn alias Defines who should get email warnings when the auditing service needs attention. How to Configure the audit_warn Email Alias 4. (Optional) Change audit policy Defines additional audit data that your site requires. How to Configure Audit Policy 5. Configure auditing in non-global zones Enable non-global zones to collect auditing records Configuring the Auditing Service in Zones (Tasks) 6. Enable auditing Turns on the auditing service. How to Enable the Auditing Service When perzone auditing is turned on, enables auditing in a non-global zone. Example 30–18 7. (Optional) Disable auditing Turns off the auditing service. How to Disable the Auditing Service When perzone auditing is turned on, disables auditing in a non-global zone. Example 30–23 8. (Optional) Reread auditing configuration changes Reads audit configuration changes into the kernel while the auditd daemon is running. How to Update the Auditing Service After the configuration files have been set up for your site, you need to set up disk space for your audit files. You also need to set up other attributes of the auditing service, and then enable the service. This section also contains procedures to refresh the auditing service when you change configuration settings.When a non-global zone is installed, you can choose to audit the zone exactly as the global zone is being audited. Alternatively, to audit the non-global zone individually, you can modify the audit configuration files in the non-global zone. To customize audit configuration files, see Configuring Audit Files (Task Map).creatingpartitions for binary audit files audit directorypartitioning for audit filespartitioning disk for disk partitioningfor binary audit files addingaudit directories storingaudit files The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system. &rolePAstep;Determine the amount of disk space that is required.Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort. Create dedicated audit partitions, as needed.This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see Chapter 11, Administering Disks (Tasks), in System Administration Guide: Devices and File Systems.# newfs /dev/rdsk/cwtxdyszwhere /dev/rdsk/cwtxdysz is the raw device name for the partition.If the local host is to be audited, also create an audit directory of last resort for the local host. Create mount points for each new partition.# mkdir /var/audit/server-name.nwhere server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories. Add entries to automatically mount the new partitions.Add a line to the /etc/vfstab file that resembles the following:/dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n ufs 2 yes Remove the minimum free space threshold on each partition.If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.# tunefs -m 0 /var/audit/server-name.n Mount the new audit partitions.# mount /var/audit/server-name.n Create audit directories on the new partitions.# mkdir /var/audit/server-name.n/files Correct the permissions on the mount points and new directories.# chmod -R 750 /var/audit/server-name.n/files On a file server, define the file systems to be made available to other hosts.Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file:share -F nfs /var/audit/server-name.n/files On a file server, restart the NFS service.svcadm commandrestarting NFS serverIf this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.If the NFS service is offline, enable the service.% svcs \*nfs\* disabled Nov_02 svc:/network/nfs/rquota:default offline Nov_02 svc:/network/nfs/server:default # svcadm enable network/nfs/server If the NFS service is running, restart the service.% svcs \*nfs\* online Nov_02 svc:/network/nfs/client:default online Nov_02 svc:/network/nfs/server:default # svcadm restart network/nfs/server For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 15, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf5 man page. audit directorycreating All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Because this file system is only used locally, none of the steps for a file server are necessary.# newfs /dev/rdsk/c0t2d0 # mkdir /var/audit/egret # grep egret /etc/vfstab /dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret ufs 2 yes - # tunefs -m 0 /var/audit/egret # mount /var/audit/egret # mkdir /var/audit/egret/files # chmod -R 750 /var/audit/egret/files In this example, a new file system is created on two new disks that are to be used by other systems in the network.# newfs /dev/rdsk/c0t2d0 # newfs /dev/rdsk/c0t2d1 # mkdir /var/audit/egret.1 # mkdir /var/audit/egret.2 # grep egret /etc/vfstab /dev/dsk/c0t2d0s1 /dev/rdsk/c0t2d0s1 /var/audit/egret.1 ufs 2 yes - /dev/dsk/c0t2d1s1 /dev/rdsk/c0t2d1s1 /var/audit/egret.2 ufs 2 yes - # tunefs -m 0 /var/audit/egret.1 # tunefs -m 0 /var/audit/egret.2 # mount /var/audit/egret.1 # mount /var/audit/egret.2 # mkdir /var/audit/egret.1/files # mkdir /var/audit/egret.2/files # chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files # grep egret /etc/dfs/dfstab share -F nfs /var/audit/egret.1/files share -F nfs /var/audit/egret.2/files # svcadm enable network/nfs/server configuringaudit_warn script audit_warn scriptconfiguring The audit_warn script generates mail to an email alias that is called audit_warn. To send this mail to a valid email address, you can follow one of the options that are described in Step 2: &rolePAstep;Configure the audit_warn email alias.Choose one of the following options:OPTION 1 – Replace the audit_warn email alias with another email account in the audit_warn script.Change the email alias in the following line of the script:ADDRESS=audit_warn # standard alias for audit alerts OPTION 2 – Redirect the audit_warn email to another mail account.In this case, you would add the audit_warn email alias to the appropriate mail aliases file. You could add the alias to the local /etc/mail/aliases file or to the mail_aliases database in the name space. The new entry would resemble the following if the root mail account was made a member of the audit_warn email alias:audit_warn: root configuringaudit_startup script audit_startup scriptconfiguring configuringaudit policy audit policysetting disablingaudit policy settingaudit policy Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.You can inspect, enable, or disable the current audit policy options with the the auditconfig command. You can also modify the policy options to the auditconfig command in the audit_startup script to make permanent audit policy changes. Assume a role that includes the Audit Control profile, or become superuser.To create a role that includes the Audit Control profile and to assign the role to a user, see Configuring RBAC (Task Map). displayingaudit policiesReview the audit policy.Before auditing is enabled, the contents of the audit_startup file determine the audit policy:#! /bin/sh ... /usr/bin/echo "Starting BSM services." /usr/sbin/auditconfig -setpolicy +cnt Counts rather than drops records /usr/sbin/auditconfig -conf Configures event-class mappings /usr/sbin/auditconfig -aconf Configures nonattributable events View the available policy options.$ auditconfig -lspolicyThe perzone and ahlt policy options can be set only in the global zone. Enable or disable selected audit policy options.# auditconfig -setpolicy prefixpolicyprefixA prefix value of + enables the policy option. A prefix value of - disables the policy option. policySelects the policy to be enabled or to be disabled. The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.For a description of each policy option, see Determining Audit Policy. auditingconfiguring in global zone zonesconfiguring auditing in global zone configuringahlt audit policy ahlt audit policysetting audit policysetting ahlt In this example, the cnt policy is disabled and the ahlt policy is enabled. With these settings, system use is halted when the audit partitions are full. These settings are appropriate when security is more important than availability. For restrictions on setting this policy, see Step 3.The following audit_startup entries disable the cnt policy option and enable the ahlt policy option across reboots:# cat /etc/security/audit_startup #!/bin/sh /usr/bin/echo "Starting BSM services." /usr/sbin/deallocate -Is /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf /usr/sbin/auditconfig -setpolicy -cnt /usr/sbin/auditconfig -setpolicy +ahlt configuringaudit policy temporarily auditconfig commandsetting audit policy addingaudit policy In this example, the auditd daemon is running and the ahlt audit policy has been set. The seq audit policy is added to the current policy. The seq policy adds a sequence token to every audit record. This is useful for debugging the auditing service when audit records are corrupted, or when records are being dropped.The + prefix adds the seq option to the audit policy, rather than replaces the current audit policy with seq. The auditconfig command puts the policy in effect until the next invocation of the command, or until the next boot.$ auditconfig -setpolicy +seq $ auditconfig -getpolicy audit policies = ahlt,seq configuringperzone audit policy perzone audit policysetting audit policysetting perzone In this example, the perzone audit policy is set in the audit_startup script in the global zone. When a zone boots, the non-global zone collects audit records according to the audit configuration settings in its zone.$ cat /etc/security/audit_startup #!/bin/sh /usr/bin/echo "Starting BSM services." /usr/sbin/deallocate -Is /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf /usr/sbin/auditconfig -setpolicy +perzone /usr/sbin/auditconfig -setpolicy +cnt In this example, the audit daemon is running and audit policy has been set. The auditconfig command changes the ahlt and cnt policies for the duration of the session. With these settings, audit records are dropped, but counted, when the audit file system is full. For restrictions on setting the ahlt policy, see Step 3.$ auditconfig -setpolicy +cnt $ auditconfig -setpolicy -ahlt $ auditconfig -getpolicy audit policies = cnt,seqWhen the changes are put in the audit_startup file, the policies are permanently in effect:$ cat /etc/security/audit_startup #!/bin/sh /usr/bin/echo "Starting BSM services." /usr/sbin/deallocate -Is /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf /usr/sbin/auditconfig -setpolicy +cntThe ahlt option does not have to be specified in the file, because the ahlt policy option is disabled by default. This setting is appropriate when availability is more important than the security that audit records provide. enablingauditing service bsmconv scriptenabling auditing service auditingenabling scriptsbsmconv to enable auditing enablingauditing startingauditing This procedure enables the auditing service for all zones. To start the audit daemon in a non-global zone, see Example 30–18.When auditing is configured securely, the system is in single-user mode until auditing is enabled. You can also enable auditing in multiuser mode. You should perform this procedure as superuser after completing the following tasks:Planning – Planning Solaris Auditing (Task Map) Customizing audit files – Configuring Audit Files (Task Map) Setting up audit partitions – How to Create Partitions for Audit Files Setting up audit warning messages – How to Configure the audit_warn Email Alias Setting audit policy – How to Configure Audit Policy Run the script that enables the auditing service.Go to the /etc/security directory, and execute the bsmconv script there.# cd /etc/security # ./bsmconv This script is used to enable the Basic Security Module (BSM). Shall we continue with the conversion now? [y/n] y bsmconv: INFO: checking startup file. bsmconv: INFO: turning on audit module. bsmconv: INFO: initializing device allocation. The Basic Security Module is ready. If there were any errors, please fix them now. Configure BSM by editing files located in /etc/security. Reboot this system now to come up with BSM enabled.For the effects of the script, see the bsmconv1M man page. Reboot the system.# rebootThe startup file /etc/security/audit_startup causes the auditd daemon to run automatically when the system enters multiuser mode.Another effect of the script is to turn on device allocation. To configure device allocation, see Managing Device Allocation (Task Map). In the following example, the global zone administrator turned on perzone policy after auditing was enabled in the global zone and after the non-global zone had booted. The zone administrator of the non-global zone has configured the audit files for the zone, and then starts the audit daemon in the zone.zone1# svcadm enable svc:/system/auditd disablingauditing service auditingdisabling bsmunconv scriptdisabling auditing service If the auditing service is no longer required at some point, this procedure returns the system to the system state before auditing was enabled. If non-global zones are being audited, their auditing service is also disabled.disablingdevice allocationdevice allocationdisablingThis command also disables device allocation. Do not run this command if you want to be able to allocate devices. To disable auditing and retain device allocation, see Example 30–19. Become superuser and bring the system into single-user mode.% su Password: <Type root password> # init SFor more information, see the init1M man page. Run the script to disable auditing.Change to the /etc/security directory, and execute the bsmunconv script.# cd /etc/security # ./bsmunconvAnother effect of the script is to disable device allocation.For information on the full effect of the bsmunconv script, see the bsmconv1M man page. Bring the system into multiuser mode.# init 6 In this example, the auditing service stops collecting records, but device allocation continues to work. All values from the flags, naflags, and plugin entries in the audit_control file are removed, as are all user entries in the audit_user file. # audit_control file … flags: minfree:10 naflags: plugin: # audit_user fileThe auditd daemon runs, but no audit records are kept. In this example, the auditing service stops running in the zone where the auditing service is disabled. Device allocation continues to work. When this command is run in the global zone, and the perzone audit policy is not set, auditing is disabled for all zones, not just the global zone.# svcadm disable svc:/system/auditd updatingauditing service audit commandupdating auditing service auditingupdating information restartingaudit daemonauditd daemonrereading information for the kernelThis procedure restarts the auditd daemon when you have made changes to audit configuration files after the daemon has been running. Assume a role that includes the Audit Control rights profile, or become superuser.To create a role that includes the Audit Control rights profile and assign the role to a user, see Configuring RBAC (Task Map). Choose the appropriate command.audit_control filechanging kernel mask for nonattributable eventsIf you modify the naflags line in the audit_control file, change the kernel mask for nonattributable events.$ /usr/sbin/auditconfig -aconfYou can also reboot. audit commandpreselection mask for existing processes (s option)auditd daemonrereading the audit_control fileaudit_control fileaudit daemon rereading after editingauditd daemonrereading the audit_control fileIf you modify other lines in the audit_control file, reread the audit_control file.The audit daemon stores information from the audit_control file internally. To use the new information, either reboot the system or instruct the audit daemon to read the modified file.$ /usr/sbin/audit -sAudit records are generated based on the audit preselection mask that is associated with each process. Executing audit -s does not change the masks in existing processes. To change the preselection mask for an existing process, you must restart the process. You can also reboot. The audit -s command causes the audit daemon to re-read the directory and minfree values from the audit_control file. The command changes the generation of the preselection mask for processes spawned by subsequent logins. If you modify the audit_event file or the audit_class file while the audit daemon is running, refresh the auditing service.Read the modified event-class mappings into the system, and ensure that each user who uses the machine is correctly audited.$ auditconfig -conf $ auditconfig -setumask auid classesauidIs the user ID. classesAre the preselected audit classes. To change audit policy on a running system, see Example 30–15. startingaudit daemonIn this example, the system is brought down to single-user mode, then back up to multiuser mode. When the system is brought into multiuser mode, modified audit configuration files are read into the system.# init S # init 6 The auditing service audits the entire system, including audit events in zones. A system that has installed non-global zones can audit all zones identically, or can control auditing per zone. For background, see Auditing on a System With Zones. To plan, see How to Plan Auditing in Zones.configuringidentical auditing for non-global zones auditingconfiguring identically for all zones This procedure enables audits every zone identically. This method requires the least computer overhead and administrative resources. Configure the global zone for auditing.Complete the tasks in Configuring Audit Files (Task Map). Complete the tasks in Configuring and Enabling the Auditing Service (Task Map), with the following exceptions.Do not enable perzone audit policy. Do not enable the auditing service. You enable the auditing service after you have configured the non-global zones for auditing. Copy the audit configuration files from the global zone to every non-global zone.Copy any of the following files that you have edited: audit_class, audit_control, audit_event, audit_user. Do not copy audit_startup or audit_warn. You do not have to copy files that you have not edited.You have two options. As superuser, you can copy the files, or loopback mount the files. The non-global zone must be running.Copy the files.From the global zone, list the /etc/security directory in the non-global zone.# ls /zone/zonename/etc/security/ Copy the audit configuration files to the zone's /etc/security directory.# cp /etc/security/audit-file /zone/zonename/etc/security/audit-fileLater, if you modify an audit configuration file in the global zone, you re-copy the file to the non-global zones. Loopback mount the configuration files.From the global zone, halt the non-global zone. # zoneadm -z non-global-zone halt Create a read-only loopback mount for every audit configuration file that you modified in the global zone.# zonecfg -z non-global-zone add filesystem set special=/etc/security/audit-file set directory=/etc/security/audit-file set type=lofs add options [ro,nodevices,nosetuid] end exit In this example, the system administrator has modified the audit_class, audit_event, audit_control, audit_user, audit_startup, and audit_warn files.The audit_startup and audit_warn files are read in the global zone only, so do not have to be loopback mounted into the non-global zones.On this system, machine1, the administrator has created two non-global zones, machine1–webserver and machine1–appserver.# zoneadm -z machine1-webserver halt # zoneadm -z machine1-appserver halt # zonecfg -z machine1-webserver add filesystem set special=/etc/security/audit_class set directory=/etc/security/audit_class set type=lofs add options [ro,nodevices,nosetuid] end add filesystem set special=/etc/security/audit_event set directory=/etc/security/audit_event set type=lofs add options [ro,nodevices,nosetuid] end add filesystem set special=/etc/security/audit_control set directory=/etc/security/audit_control set type=lofs add options [ro,nodevices,nosetuid] end add filesystem set special=/etc/security/audit_user set directory=/etc/security/audit_user set type=lofs add options [ro,nodevices,nosetuid] end exit # zonecfg -z machine1-appserver add filesystem set special=/etc/security/audit_class set directory=/etc/security/audit_class set type=lofs add options [ro,nodevices,nosetuid] end ... exitWhen the zones are rebooted, the audit configuration files are read-only in the zones. When the global administrator modifies the files in the global zone, the changes are immediately effective in the non-global zones. configuringper-zone auditing auditingconfiguring per-zone perzone audit policyusing This procedure enables separate zone administrators to control the auditing service in their zone. For the complete list of policy options, see the auditconfig1M man page. In the global zone, configure auditing, but do not enable the auditing service.Complete the tasks in Configuring Audit Files (Task Map). Complete the tasks in Configuring and Enabling the Auditing Service (Task Map), with the following exceptions.Add the perzone audit policy. For an example, see Example 30–16. Do not enable the auditing service. You enable the auditing service after the non-global zones are configured for auditing. In each non-global zone, configure the audit files.If you are planning to disable auditing in the non-global zone, you can skip this step. To disable auditing, see Example 30–23. Complete the tasks in Configuring Audit Files (Task Map). Follow the procedures that are described in Configuring and Enabling the Auditing Service (Task Map). Do not configure system-wide audit settings.Specifically, do not add the perzone or ahlt to the non-global zone's audit_startup file. And do not run the bsmconv command from the non-global zone. Enable auditing in your zone.When the global zone reboots after auditing is configured, auditing is automatically enabled in your zone.If the global zone administrator activates the perzone audit policy after the system is booted, individual zone administrators must enable auditing. For details, see Example 30–18. In the global zone, enable the auditing service.For the procedure, see How to Enable the Auditing Service. This example works if the global zone has set the perzone audit policy. The zone administrator of the noaudit zone disables auditing for that zone. Because the administrator planned to disable auditing, she did not edit the audit configuration files.noauditzone # svcadm disable svc:/system/auditd task mapsmanaging audit records managing audit records task map The following task map points to procedures for selecting, analyzing, and managing audit records.Task Description For Instructions Display the formats of audit records Shows the kind of information that is collected for an audit event, and the order in which the information is presented. How to Display Audit Record Formats Merge audit records Combines audit files from several machines into one audit trail. How to Merge Audit Files From the Audit Trail Select records to examine Selects particular events for study. How to Select Audit Events From the Audit Trail Display audit records Enables you to view binary audit records. How to View the Contents of Binary Audit Files Clean up incorrectly named audit files Provides an end timestamp to audit files that were inadvertently left open by the auditing service. How to Clean Up a not_terminated Audit File Prevent audit trail overflow Prevents the audit file systems from becoming full. How to Prevent Audit Trail Overflow By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.displayingaudit record formats viewingaudit record formats audit recordsdisplaying formats ofprocedure bsmrecord commanddisplaying audit record formats displayingformat of audit records bsmrecord commanddisplaying audit record formats To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The bsmrecord command displays the audit event number, audit class, selection mask, and record format of an audit event. a optionbsmrecord commandbsmrecord commandlisting all formatsPut the format of all audit event records in an HTML file.The a option lists all audit event record formats. The h option puts the list in HTML format that can be displayed in a browser.% bsmrecord -a -h > audit.events.htmlWhen you display the *html file in a browser, use the browser's Find tool to find specific records.bsmrecord commandexampleh optionbsmrecord commandformat of audit recordsbsmrecord commandaudit recordsformatting exampleFor more information, see the bsmrecord1M man page. audit recordsdisplaying formats of a program p optionbsmrecord command bsmrecord commandlisting formats of program In this example, the format of all audit records that are generated by the login program are displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.% bsmrecord -p login terminal login program /usr/sbin/login See login(1) /usr/dt/bin/dtlogin See dtlogin event ID 6152 AUE_login class lo (0x00001000) header subject text error message or "successful login" return login: logout program various See login(1) event ID 6153 AUE_logout … newgrp program newgrp See newgrp login event ID 6212 AUE_newgrp_login … rlogin program /usr/sbin/login See login(1) - rlogin event ID 6155 AUE_rlogin … SMC: role login program SMC server See role login event ID 6173 AUE_role_login … /usr/lib/ssh/sshd program /usr/lib/ssh/sshd See login - ssh event ID 6172 AUE_ssh … telnet login program /usr/sbin/login See login(1) - telnet event ID 6154 AUE_telnet … audit recordsdisplaying formats of an audit class c optionbsmrecord command bsmrecord commandlisting formats of class In this example, the format of all audit records in the fd class are displayed.% bsmrecord -c fd rmdir system call rmdir See rmdir(2) event ID 48 AUE_RMDIR class fd (0x00000020) header path [attribute] subject [use_of_privilege] return unlink system call unlink See unlink(2) event ID 6 AUE_UNLINK … unlinkat system call unlinkat See openat(2) event ID 286 AUE_UNLINKAT … mergingbinary audit records audit recordsmerging auditreduce commandmerging audit records administeringauditingauditreduce command auditreduce commandexamples audit filescombining audit filesreducing audit recordsreducing audit files auditreduce commandO option combining audit filesauditreduce command O optionauditreduce command reducingaudit files size of audit filesreducing managingaudit files displayingselected audit records deletingaudit filesBy merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/auditserver-name/files, the auditreduce command can find the output file without your specifying the full path.This procedure applies only to binary audit records. Assume a role that includes the Audit Review profile, or become superuser.The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map). Create a directory for storing merged audit files.# mkdir audit-trail-directory Limit access to the directory.# chmod 700 audit-trail-directory # ls -la audit-trail-directory drwx------ 3 root sys 512 May 12 11:47 . drwxr-xr-x 4 root sys 1024 May 12 12:47 .. Merge the audit records in the audit trail.Change directories to the audit-trail-directory and merge the audit records into a file with a named suffix. All directories that are listed in the dir lines of the audit_control file on the local system are merged.# cd audit-trail-directory # auditreduce -Uppercase-option -O suffixauditreduce commandusing uppercase optionsThe uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:ASelects all of the files in the audit trail. CSelects complete files only. This option ignores files with the suffix not_terminated. MSelects files with a particular suffix. The suffix can be a machine name, or it can be a suffix that you have specified for a summary file. OCreates an audit file with 14-character timestamps for both the start time and the end time, with the suffix suffix in the current directory. A optionauditreduce commandIn the following example, the System Administrator role, sysadmin, copies all files from the audit trail into a merged file.$ whoami sysadmin $ mkdir /var/audit/audit_summary.dir $ chmod 700 /var/audit/audit_summary.dir $ cd /var/audit/audit_summary.dir $ auditreduce -A -O All $ ls *All 20030827183214.20030827215318.AllC optionauditreduce commandIn the following example, only complete files are copied from the audit trail into a merged file.$ cd /var/audit/audit_summary.dir $ auditreduce -C -O Complete $ ls *Complete 20030827183214.20030827214217.CompleteM optionauditreduce commandIn the following example, only complete files are copied from the example1 machine into a merged file.$ cd /var/audit/audit_summary.dir $ auditreduce -M example1 -O example1summ $ ls *summ 20030827183214.20030827214217.example1summ D optionauditreduce commandThe D option to the auditreduce command deletes an audit file when you copy it to another location. In the following example, the complete audit files from one system are copied to the summary directory for later examination.$ cd /var/audit/audit_summary.dir $ auditreduce -C -O daily_example1 -D example1 $ ls *example1 20030827183214.20030827214217.daily_example1The audit files from the example1 system that were the input to the *daily_example1 file are removed when this command successfully completes. selectingevents from audit trail audit eventsselecting from audit trail audit trailselecting events from auditreduce commandselecting audit records selectingaudit records auditreduce commandusing lowercase optionsauditreduce commandfiltering optionsYou can filter audit records for examination. For the complete list of filtering options, see the auditreduce1M man page. Assume a role that includes the Audit Review profile, or become superuser.The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map). Select the kinds of records that you want from the audit trail, or from a specified audit file.auditreduce -lowercase-option argument [optional-file]argumentSpecific argument that a lowercase option requires. For example, the c option requires an argument of an audit class, such as ua. dSelects all of the events on a particular date. The date format for argument is yyymmdd. Other date options, b and a, select events before and after a particular date. uSelects all of the events attributable to a particular user. The argument is a user name. Another user option, e, selects all of the events attributable to an effective user ID. cSelects all of the events in a preselected audit class. The argument is an audit class name. mSelects all of the instances of a particular audit event. The argument is an audit event. optional-fileIs the name of an audit file. b optionauditreduce commandThe auditreduce command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup media.# cd /var/audit/audit_summary.dir # auditreduce -O lo.summary -b 20030827 -c lo; compress *lo.summary c optionauditreduce commandIn this example, all the records of nonattributable audit events in the audit trail are collected into one file.$ whoami sysadmin $ cd /var/audit/audit_summary.dir $ auditreduce -c na -O nasumm $ ls *nasumm 20030827183214.20030827215318.nasummThe merged nasumm audit file is time stamped with the beginning and ending date of the na records. You can select audit files manually to search just the named set of files. For example, you can further process the *nasumm file in the previous example to find system boot events. To do so, you would specify the file name as the final argument to the auditreduce command.$ auditreduce -m 113 -O systemboot 20030827183214.20030827215318.nasumm 20030827183214.20030827183214.systembootThe 20030827183214.20030827183214.systemboot file contains only system boot audit events. e optionauditreduce commandIn this example, the records in the audit trail that contain the name of a particular user are merged. The e option finds the effective user. The u option finds the audit user.$ cd /var/audit/audit_summary.dir $ auditreduce -e tamiko -O tamikod optionauditreduce commandYou can look for specific events in this file. In the following example, what time the user logged in and out on Sept 7, 2003, your time, is checked. Only those files with the user's name as the file suffix are checked. The short form of the date is yyyymmdd.# auditreduce -M tamiko -O tamikolo -d 20030907 -u tamiko -c lo audit filescopying messages to single file auditreduce commandc option copying audit messages to single file audit messagescopying to single file c optionauditreduce command In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.# auditreduce -c lo -d 20030827 -O /var/audit/audit_summary.dir/logins # ls /var/audit/audit_summary.dir/*logins /var/audit/audit_summary.dir/20030827183936.20030827232326.logins viewingbinary audit files audit eventsviewing from binary files audit trailviewing events from praudit commandviewing audit records displayingaudit records audit recordsdisplaying administeringauditingaudit files The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. The x option is useful for further processing. Assume a role that includes the Audit Review profile, or become superuser.The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map). Use one of the following praudit commands to produce the output that is best for your purposes.The following examples show praudit output from the same audit event. Audit policy has been set to include the sequence and trailer tokens.The praudit -s command displays audit records in a short format, one token per line. Use the l option to place each record on one line.$ auditreduce -c lo | praudit -s header,101,2,AUE_rlogin,,example1,2003-10-13 11:23:31.050 -07:00 subject,jdoe,jdoe,staff,jdoe,staff,749,749,195 1234 server1 text,successful login return,success,0 sequence,1298 The praudit -r command displays audit records in their raw format, one token per line. Use the l option to place each record on one line.$ auditreduce -c lo | praudit -r 21,101,2,6155,0x0000,192.168.60.83,1062021202,64408258 36,2026700,2026700,10,2026700,10,749,749,195 1234 192.168.60.17 40,successful login 39,0,0 47,1298 new featurescommandspraudit -xviewingXML audit recordsThe praudit -x command displays audit records in XML format, one token per line. Use the l option to place the XML output for one record on one line.$ auditreduce -c lo | praudit -x <record version="2" event="login - rlogin" host="example1" time="Wed Aug 27 14:53:22 PDT 2003" msec="64"> <subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" rgid="staff" pid="749" sid="749" tid="195 1234 server1"/> <text>successful login</text> <return errval="success" retval="0"/> <sequence seq-num="1298"/> </record> audit filesprinting printingaudit log praudit commandpiping auditreduce output to With a pipe to the lp command, the output for the entire audit trail goes to the printer. The printer should have limited access.# auditreduce | praudit | lp -d example.protected.printer log filesaudit records audit recordsconverting to readable format converting audit records to readable format readable audit record formatconverting audit records to praudit commandconverting audit records to readable format In this example, a summary login file is examined in a terminal window.# cd /var/audit/audit_summary.dir/logins # praudit 20030827183936.20030827232326.logins | more displayingaudit records in XML format audit recordsdisplaying in XML format praudit commandXML format XML formataudit records In this example, the audit records are converted to XML format.# praudit -x 20030827183214.20030827215318.logins > 20030827.logins.xmlThe *xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information. cleaning upbinary audit files audit trailcleaning up not terminated files auditreduce commandcleaning up audit files deletingnot_terminated audit files Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp. List the files with the not_terminated string on your audit file system in order of creation.# ls -R1t audit-directory*/files/* | grep not_terminatedRLists files in subdirectories. tLists files from most recent to oldest. 1Lists the files in one column. Clean up the old not_terminated file.Specify the name of the old file to the auditreduce -O command.# auditreduce -O system-name old-not-terminated-file Remove the old not_terminated file.# rm system-name old-not-terminated-file In the following example, not_terminated files are found, renamed, then the originals are removed.ls -R1t */files/* | grep not_terminated …/egret.1/20030908162220.not_terminated.egret …/egret.1/20030827215359.not_terminated.egret # cd */files/egret.1 # auditreduce -O egret 20030908162220.not_terminated.egret # ls -1t 20030908162220.not_terminated.egret Current audit file 20030827230920.20030830000909.egret Input (old) audit file 20030827215359.not_terminated.egret # rm 20030827215359.not_terminated.egret # ls -1t 20030908162220.not_terminated.egret Current audit file 20030827230920.20030830000909.egret Cleaned up audit fileThe start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file. preventingaudit trail overflow audit trailpreventing overflow audit filesmanaging managingaudit files archivingaudit files administeringauditingaudit trail overflow prevention managingaudit trail overflow configuringaudit trail overflow prevention overflow preventionaudit trail storage overflow preventionaudit trail If your security policy requires that all audit data be saved, do the following: Set up a schedule to regularly archive audit files.Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.logadm commandarchiving textual audit filesIf you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm1M man page. deletingarchived audit filesSet up a schedule to delete the archived audit files from the audit file system. Save and store auxiliary information.Archive information that is necessary to interpret audit records along with the audit trail. Keep records of which audit files have been archived. Store the archived media appropriately. Reduce the volume of audit data that you store by creating summary files.You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 30–28 and Example 30–32.